We propose a specification-free technique for finding missing security checks in web applications using a catalog of access control patterns, in which each pattern models a common access control use case. Our implementation, Space, checks that every data exposure allowed by an application's code matches an allowed exposure from a security pattern in our catalog. The only user-provided input is a mapping from application types to the types of the catalog; the rest of the process is entirely automatic. In an evaluation on the 50 most watched Ruby on Rails applications on GitHub, Space reported 33 possible bugs: 23 previously unknown security bugs and 10 false positives.
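The following is an added illustrative model of the check described above, not Space's own code: a small catalog of access control patterns, a user-supplied map from application types to catalog types, and a bounded check over a constructed universe of users and resources that reports every exposure the application allows but the matching pattern does not. The pattern names, the struct fields and the sample data are assumptions made for the example.

```ruby
# Illustrative model (constructed, not Space's code): an application's data
# exposures are checked against a catalog of access control patterns.
User = Struct.new(:id, :admin)
Resource = Struct.new(:kind, :owner_id)

# Catalog: each pattern states which (user, resource) exposures it allows.
CATALOG = {
  public:    ->(_user, _res) { true },
  ownership: ->(user, res)   { res.owner_id == user.id },
  admin:     ->(user, _res)  { user.admin },
}.freeze

# The only user-provided input: application types -> catalog types.
TYPE_MAP = { post: :public, message: :ownership, audit_log: :admin }.freeze

# Exposures extracted from the app: for each resource type, the predicate
# the controller actually enforces before handing the resource to a user.
EXPOSURES = {
  post:      ->(_user, _res) { true },
  message:   ->(user, res)   { res.owner_id == user.id }, # check present
  audit_log: ->(_user, _res) { true },                    # admin check missing
}.freeze

# Small finite universe used for the bounded check (constructed sample data).
USERS = [User.new(1, false), User.new(2, true)].freeze
RESOURCES = [Resource.new(:post, 1), Resource.new(:message, 1),
             Resource.new(:message, 2), Resource.new(:audit_log, 2)].freeze

# Returns every exposure the app allows that no catalog pattern allows;
# each finding names the resource type and the offending (user, owner) pair.
def missing_checks(exposures = EXPOSURES, type_map = TYPE_MAP,
                   catalog = CATALOG, users = USERS, resources = RESOURCES)
  findings = []
  exposures.each do |kind, app_allows|
    pattern = catalog.fetch(type_map.fetch(kind))
    resources.select { |r| r.kind == kind }.each do |res|
      users.each do |user|
        next unless app_allows.call(user, res) && !pattern.call(user, res)
        findings << { type: kind, user: user.id, owner: res.owner_id }
      end
    end
  end
  findings
end

puts missing_checks.inspect if __FILE__ == $PROGRAM_NAME
```

Running the script reports the audit log exposed to the non-admin user, while the message and post exposures match their patterns and produce no finding.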